package com.example.student.controller;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.*;

@RestController
@RequestMapping("/api/students")
public class StudentController {

    @GetMapping
    @PreAuthorize("hasAnyRole('ADMIN', 'DIRECTOR', 'TEACHER')")
    public String listStudents() {
        return "学生列表";
    }

    @PostMapping
    @PreAuthorize("hasAnyRole('ADMIN', 'DIRECTOR')")
    public String addStudent() {
        return "添加学生";
    }

    @PutMapping("/{id}")
    @PreAuthorize("hasAnyRole('ADMIN', 'DIRECTOR')")
    public String updateStudent(@PathVariable Long id) {
        return "更新学生信息";
    }

    @DeleteMapping("/{id}")
    @PreAuthorize("hasRole('ADMIN')")
    public String deleteStudent(@PathVariable Long id) {
        return "删除学生";
    }

    @GetMapping("/{id}/scores")
    @PreAuthorize("hasAnyRole('ADMIN', 'DIRECTOR', 'TEACHER') or @securityService.isCurrentUser(#id)")
    public String viewStudentScores(@PathVariable Long id) {
        return "查看学生成绩";
    }
} 